CVE-2025-55203

Name of the Vulnerable Software and Affected Versions: Plane versions prior to 0.28.0

Description: Plane is open-source project management software. A stored cross-site scripting (XSS) vulnerability exists in the description html field. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users’ browsers. The description html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application’s database. When another user views the affected content, the injected code executes in their browser, running in the application’s context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. This vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities.

Recommendations: Update to version 0.28.0 or later.